Tombstone Transformation Functions for Ensuring 
Consistency in Collaborative Editing Systems 

Gerald Oster
Institute for Information Systems, ETH Zurich
Email: osterg@inf.ethz.ch

Pascal Molli, Pascal Urso and Abdessamad Imine
Nancy-Université, LORIA
Email: {molli,urso,imine}@loria.fr


Abstract - In collaborative editing, maintaining the consistency
of the copies of shared data is a critical issue. Over the last
decade, the Operational Transformation (OT) approach has emerged
as a suitable mechanism for maintaining consistency. Unfortunately,
none of the published proposals relying on this approach is
able to satisfy the mandatory correctness properties TP1 and
TP2 defined in Ressel's framework. This paper addresses
this correctness issue by proposing a new way to model shared
state: retaining tombstones when elements are removed. An
instantiation of the proposed model for a linear data structure
and the related transformation functions are provided.

I. Introduction 

Collaborative editing systems allow users to edit the same 
document from multiple sites across the Internet. Users may be
distributed in space, working at different places. Depending
on the work context, they can work synchronously or
asynchronously. Synchronous collaboration is also called real-time
editing since, when a user performs some modifications on
the document, these modifications are instantly sent to other
users who can see them without any delay. On the contrary,
in asynchronous collaboration, users may not work at the 
same time. They work in isolation: they can decide when to 
publish their modifications and when to integrate modifications 
performed by other users. 

In these systems, the shared documents are commonly 
replicated at multiple sites. Parallel modifications on these 
copies may happen and therefore they are exposed to potential
inconsistencies. One of the main issues in collaborative editing
is how to maintain consistency of shared document copies.
Consistency maintenance mechanisms are classified into two
categories: pessimistic and optimistic.

Pessimistic approaches try to give the impression there is 
only one highly available copy in the whole system. Only one 
copy - or part of a copy - can be edited at the same time while 
all the copies can be read. This principle is generally realised 
using locking mechanisms such as in database transaction
systems [2] or in turn-taking protocols [8]. Over the years,
this class of mechanisms proved unsuitable for collaborative
editing even though they ensure strong consistency. They 
place too many restrictions on collaborative interactions - no 
concurrent updates are allowed - and they do not support 
work disconnected from the network. Furthermore, the lapse 
of time during which the system asks for a lock makes these 
mechanisms not appropriate for real-time editing. 


On the contrary, optimistic approaches [24] are more suitable
for collaborative editing since they tolerate divergence
between copies as long as they converge to the same
value in the end. In particular, one approach called Operational
Transformation [6] (OT) has been specifically designed
to fulfil the requirements of collaborative editing. In this
approach, updates performed by one user are applied on
the local copy without any delay. Next, they are broadcast
to other copies, either synchronously or asynchronously.
Finally, updates have to be executed on the remote copies.
Incoming updates are transformed according to concurrent
updates that might have been performed in the meantime on
these remote copies. These transformations are computed in a
way that ensures convergence of the copies. It is worth
pointing out that the local response time is not sensitive to
network latencies since local updates are executed immediately.

Since the initial work of Ellis et al. [6], several OT
frameworks [23], [28], [13], [15] have been proposed. The first
OT framework was developed in 1996 by Ressel et al. [23].
This framework makes a strong separation between a generic
integration algorithm and specific transformation functions.
Transformation functions depend on the type of shared data,
whereas the integration algorithm does not. If a developer
of a collaborative editor wants to provide sharing of one
specific data type, he has to write the adequate transformation
functions and prove they conform to the two correctness
properties TP1 and TP2. Under these conditions, the integration
algorithm will ensure that causality between operations is
preserved and convergence of copies is achieved.

Unfortunately, satisfying TP2 is very difficult. It has been
proven [11], [13] that none of the proposed transformation
functions is correct regarding this property.

A proposed solution to this problem was to require
only the TP1 property and fix a total ordering on the integration
of operations. The SOCT4 algorithm [29] implements this
strategy while conserving the generality of the OT approach.
The So6 synchronizer [1], based on SOCT4, demonstrated the
use of this strength of OT to build a tool very similar to CVS,
capable of reconciling a file system containing text files and
XML documents. Unfortunately, building the total ordering
requires a central site or a stable pool of sites [5]. These new
constraints prevent SOCT4 from being used in a pure decentralized
environment such as a peer-to-peer network.



In order to escape from the TP2 property, other frameworks
have been proposed [16], [9], [20]. Although these frameworks
are very interesting, their integration algorithms are closely
related to the linear-structure properties of the shared document
for which they have been designed. Thus, in order to handle new
types of data or to allow more operations to be performed on
the data, the integration algorithm has to be modified and some
new correctness properties must be determined and proven
on it. Hence, although they propose new ways to model and solve
consistency problems, they do not yet have the generality of
Ressel's original framework.

This paper presents the first set of transformation functions
that ensures TP1 and TP2. This new set is the transposition
into Ressel's framework of the idea of tombstones developed
in [20]. This new set of transformation functions, called
TTF (Tombstones Transformation Functions), demonstrates
that it is possible to instantiate Ressel's framework.

This paper is structured as follows. We start by presenting
Ressel's framework. We then describe our approach
and discuss its correctness. Afterwards, we relate our approach
to previous works. Finally, we conclude and point out some
future work.

II. Background and Open Problems 

A collaborative editing system consists of a set of participant
systems connected by a communication network. In the
following, a participant system is called a site. There is one site
per user. Usually a site corresponds to one user's workstation;
however, sometimes one computer might run multiple sites.
Because the response time demands of collaborative editing
systems are so high, and in order to support collaborative work
in isolation, the shared data state is replicated at every site.
In other words, a collaborative editing system is modelled 
as follows. It considers n sites, each site owns a copy of 
shared data. When a site performs an update, it generates a 
corresponding operation. Every operation is processed in four 
steps: (i) executed on one site, (ii) broadcast to other sites, 
(iii) received by other sites, (iv) executed on other sites. 

The OT approach distinguishes two main components: 

• an integration algorithm. This algorithm is in charge of
reception, diffusion and execution of operations. When
necessary, it calls transformation functions. This algorithm
does not depend on the type of replicated data;

• a set of transformation functions. These functions merge
concurrent modifications by transforming two concurrent
operations in order to execute them in a serial order.
These functions are specific to a particular type of replicated
data such as a string of characters, an XML document
or a file system.

The study of this paper is restricted to shared documents
relying on a linear structure. Problems and proposed solutions
can be generalised to more complex structures such as
hierarchical structures, as shown in [4], [18], [10]. Without loss of
generality, in the remainder of this paper, the shared document
is considered to be a string of characters. A string of characters 
might be updated by performing two kinds of operations: 


• ins(p,c) inserts a new character c at position p in the 
string. 

• del(p) removes the character located at position p in the
string. 

The first character of a string is assumed to be located at 
position 1. 

Over the years, consistency maintenance in OT has been 
refined to the guarantee of two criteria: causality preservation 
and convergence of copies. 

Considering two operations op1 and op2, operation op1
is said to precede op2 if and only if op2 is generated on
a copy after op1 was executed on this copy. Subsequently,
op2 may depend on the effects of the execution of op1. The
causality preservation criterion ensures that all operations
ordered by a precedence relation, in the sense of Lamport's
happens-before relation [12], will be executed in the same order
on every copy. Two operations op1 and op2 that are not related
by a precedence relation (neither op1 precedes op2, nor op2
precedes op1) are said to be concurrent.

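[Figure 1: site 1 and site 2 both start from “abc”; site 1 generates op1 = ins(3,x) and site 2 generates op2 = del(2); each site then executes the other site's operation unchanged.]

Fig. 1. Divergence problem.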


Two concurrent operations can be executed in different order 
on two different copies. Consequently, when an operation is 
received on one site, the current state of shared object may be 
different from the one where the operation has been generated. 
Thus, executing this operation in its generated form on a 
remote site may not preserve its effects and the copies may 
not converge. Figure 1 illustrates such a scenario. Operations
op1 and op2 have been generated concurrently on two different
copies of the string “abc”. op1 inserts an x at position 3 to
obtain the string “abxc”, while op2 removes the character
b located at position 2. If these operations are executed as-is
when they are received by other sites, it leads to the two
divergent states “axc” and “acx” as depicted in Figure 1.

In order to solve this kind of consistency problem,
Ellis et al. [6] introduced a transformation function T. This
function is used to transform remote operations when they 
arrive on a site. Remote operations are transformed regarding 
concurrent operations that were already executed on local 
copy. 

For instance, in our previous example, op1 is no longer
executed as soon as it arrives on site 2; it is first transformed
with regard to concurrent operations, in our case operation op2.
As op2 removed a character located before the insertion
position of op1, the insertion position of op1 is decreased by
one position to take into account the previous execution of op2.
Consequently, on site 2, operation op'1 = ins(2,x) has to be
executed (see Figure 2).

[Figure 2: op1 = ins(3,x) and op2 = del(2) are generated concurrently; site 1 then executes del(2) and site 2 executes T(op1, op2) = ins(2,x).]

Fig. 2. Convergence by transforming.

Intuitively, the transformation used is defined as follows:

T(ins(p1, c1), del(p2)) :-
    if (p1 ≤ p2) return ins(p1, c1)
    else return ins(p1 - 1, c1)

Definition 1 A transformation function T takes two concurrent
operations as parameters. These two operations, namely
op1 and op2, must be defined on the same state S. The function
computes a new operation T(op1, op2) equivalent to op1 - i.e.
having the same effects - but defined on the state S ∘ op2. S ∘ op2
is the state resulting from the execution of op2 on state S.

Later, Ressel et al. [23] identified two properties TP1 and
TP2 which must be satisfied by transformation functions
for ensuring convergence of the copies independently of the 
integration order of concurrent operations. 

Definition 2 For every two concurrent operations op1 and
op2 defined on the same state, the transformation function T
satisfies the TP1 property if and only if:

op1 ∘ T(op2, op1) ≡ op2 ∘ T(op1, op2)

where op_i ∘ op_j denotes the sequence of operations containing
op_i followed by op_j, and where ≡ denotes equivalence of the
two sequences of operations.

This first property TP1 expresses equivalence between two
sequences. Given two concurrent operations op1 and op2, the
execution of the sequence of op1 followed by T(op2, op1) on
a state S must produce the same state as the execution of the
sequence of op2 followed by T(op1, op2).

Definition 3 For every three concurrent operations op1, op2
and op3 defined on the same state, the transformation function
T satisfies the TP2 property if and only if:

T(op3, op1 ∘ T(op2, op1)) = T(op3, op2 ∘ T(op1, op2))

This second property TP2 stipulates equality between two
operations transformed with regard to two equivalent
sequences of operations. Given three operations op1, op2 and
op3, the transformation of op3 with regard to the sequence
formed by op2 followed by T(op1, op2) must give the same
operation as the transformation of op3 with regard to the
sequence formed by op1 followed by T(op2, op1).

Ressel et al. [23] demonstrated that these two properties
TP1 and TP2 are sufficient to ensure convergence of copies
independently of the order in which concurrent operations are
transformed.

With a correct set of transformation functions, the integration
algorithm ensures consistency and the resulting
collaborative editing tools would be reliable. Indeed, most of
the OT integration algorithms have been proven [25], [17] to
ensure convergence of copies if the underlying transformation
functions satisfy the properties. Unfortunately, currently none
of the transformation functions proposed is correct regarding
the TP1 and TP2 properties. Imine et al. [11] used a formal
approach based on a theorem prover to check the correctness of
all previously published sets of transformation functions, and
they found counterexamples for each proposal. Li et al. [13]
also gave a counter-example for the transformation functions
proposed by Imine et al. [11]. In Section IV, we will give a
counter-example for [13]. Therefore, there are currently no
correct transformation functions, and consequently operational
transformation cannot be used to build a safe decentralized
collaborative editing system.

In this paper, we present the first set of transformation
functions satisfying both the TP1 and TP2 properties.
Consequently, these transformation functions could be used with
any integration algorithm previously published.

III. Transformation Functions 

None of the transformation functions previously published
satisfies the TP2 property, because they all fail to solve a variant
of the same problem. Even if some counterexamples are more
complicated - involving partial concurrency between operations -
the basic problem remains the same. This problem, presented
in Figure 3, involves three concurrent operations: ins(2,x),
del(2) and ins(3,y).



[Figure 3: three concurrent operations op1 = ins(2,x), op2 = del(2) and op3 = ins(3,y).]



When op1 = ins(2,x) is received on site 2, it is transformed
according to op2. This transformation does not change the
insertion position of op1, and returns as result the operation
op'1 = ins(2,x). When op3 = ins(3,y) is received on site
2, it is transformed according to op2. Its insertion position is
decreased and thus it becomes op'3 = ins(2,y). At this point
on site 2, if the algorithm has to transform op'1 according
to op'3, or op'3 according to op'1, then it must break a tie
because their current positions of insertion are equal. To break
this tie, each approach chooses a different way: initial
positions for IMOR [11], sets of concurrent deletions for
Suleiman et al. [25] or state difference for Li et al. [13].
Unfortunately, all these approaches fail to order x and y correctly
in some cases. And all the counter-examples [11], [13] violating
the TP2 property are only instances of this tie. Nevertheless, on
the initial state, character b obviously separates x and y; b is
called a landmark character by Li et al. [15]. Consequently, the
algorithm must insert x in front of y on all sites.

A. (U)ncompacted-TTF Model 

Our idea is to keep the deleted character b as a tombstone. If
a character is deleted, the system maintains useful information
about its former position but not its whole content.
Tombstones are well known in distributed systems. For example,
they are heavily used in Usenet to make conflicts between
update/delete operations unambiguous [24].

For a character string, it is equivalent to keep the character
in its position and mark the character as invisible. If the shared
data is a more complex linear data structure such as a list of
lines instead of a list of characters, it means that the system will
maintain the identity of the line but not its content.



Consequently, hidden characters must remain present in the
model of the string at a site, but are hidden from the
view of the string seen by the user. The model of the string
S becomes a sequence of ordered pairs (character, visible)
where visible is a boolean attribute. This model and its
behaviour are illustrated in Figure 4. Suppose a user inserts
the character y between b and c, then the operation ins(3,y)
is generated on the view, but this operation is executed on
the model as ins(5,y) since the characters h and n have
previously existed. It is also this operation ins(5,y) that
is broadcast and will be transformed on all other sites.

To perform the conversion between the position of an 
operation in the model and the position in the view, the system 
uses the following function: 
viewToModel(int pview, S) : int {
  int n=1, j=1; // n counts visible characters, j walks the model
  while ((j < length(S)) and (n<pview or not S[j].visible)) {
    if (S[j].visible) n++;
    j++; // advance in the model, tombstones included
  }
  return j;
}



Suppose the system has to execute a new operation
ins(p, c) generated from the view. Then, on the model, it has
to seek out the first position located after finding p visible
characters and then skip all removed characters (tombstones)
situated after this current position. The complete functions to
execute local operations and remote operations are described
in Figure 5 and in Figure 6. The function shiftRight(S,p)
makes new room in the string S at position p by shifting to the
right every character in the range [p; length(S)]. In the same
way, shiftLeft(S,p) removes the element located at position
p - 1 in the string S by shifting to the left every character in
the range [p; length(S)]. It is worth noting that these functions
are commonly required to insert or remove an element in the
string, even without using the TTF data model.

executeLocal(ins(x,pview), S) {
  int pmodel=viewToModel(pview, S);
  shiftRight(S,pmodel); // make room for the new character
  S[pmodel]=x;
  broadcast(ins(x,pmodel)); // the model position is what is sent
}

executeLocal(del(pview), S) {
  int pmodel=viewToModel(pview, S);
  S[pmodel].visible=false; // keep the character as a tombstone
  broadcast(del(pmodel));
}

Fig. 5. Local executions in the U-TTF model. 

Executing a received operation is different from executing
a local operation. So we define two functions,
executeRemote(ins(x,p), S) and executeRemote(del(p), S), described
in Figure 6.

executeRemote(ins(x,pmodel), S) {
  shiftRight(S,pmodel); // make room for the new character
  S[pmodel]=x;
}

executeRemote(del(pmodel), S) {
  S[pmodel].visible=false;
}

Fig. 6. Remote executions in the U-TTF model. 

This strategy leads to the trivial transformation functions
presented in Figure 7. An additional parameter sid_i has been
added to operations. It uniquely identifies the site
on which the operation has been generated. Identifiers of two
insert operations are compared in order to break the tie when
two insertions have been performed concurrently at the same
position.

Since the execution of a del() operation replaces the removed
character with a tombstone, it does not affect the
position of other characters in the string. Consequently,
performing a transformation of an operation op according to a
del() operation does not modify the effect position of op.

Transformation functions of any operation according to
an ins() operation are defined as originally done by
Ressel et al. [23]. When two insert operations have the same
position p, the character produced by the site with the lower
site identifier is inserted at p; the other character is inserted
at position p + 1.

T(ins(p1, c1, sid1), ins(p2, c2, sid2)) :-
    if (p1 < p2) return ins(p1, c1, sid1)
    else if (p1 = p2 and sid1 < sid2) return ins(p1, c1, sid1)
    else return ins(p1 + 1, c1, sid1)

T(del(p1, sid1), ins(p2, c2, sid2)) :-
    if (p1 < p2) return del(p1, sid1)
    else return del(p1 + 1, sid1)

T(ins(p1, c1, sid1), del(p2, sid2)) :-
    return ins(p1, c1, sid1)

T(del(p1, sid1), del(p2, sid2)) :-
    return del(p1, sid1)

Fig. 7. TTF transformation functions.

We have proven that TTF ensure TP1 and TP2. Due to
space limitations, the proof is not included in this paper. This
proof was built using the automatic theorem prover SPIKE [3].
The full specification and how the proof is built by the theorem
prover are available in [19]. But even without SPIKE, it is easy
to see that, as opposed to traditional transformation functions,
the TTF are monotonic transformations of the effect position
of operations since they only compute additions. Hence, the
position of one character will grow monotonically to the
same value independently of the equivalent transformation
path taken.

This monotonic property has another interesting consequence:
TTF preserve order relationships between characters,
which is considered in [13] as an instantiation of the intention
preservation criterion defined by Sun et al. [28]. In [13], the
intention of an ins(p,c) operation is expressed by the relation
≺. If one user generates op = ins(p,c) on a site where x is
visible at a position less than p, and y is visible at a position
greater than or equal to p, then the ordering x ≺ c ≺ y is
set. Concerning a del(p) operation executed on a string S, its
intention is to remove the character S[p]. Please note that in
our model del(p) does not remove the character but makes
it invisible. Preserving the intention of ins() operations means
that the ≺ relations hold on all further states. Since in our model
del() operations do not affect the positions of characters, this
ordering will always be kept sound on the generation site
of op. Moreover, using our TTF, all copies on all sites will
eventually converge to the same string. Consequently, for any
operation ins(p,c) the ordering x ≺ c ≺ y will be preserved
in any further states. In other words, TTF can ensure the intention
preservation criterion as defined in [13].

B. Inverses of Transformation Functions 

Some algorithms such as SOCT2 [25], GOT [28] and
GOTO [27] require the definition of additional functions called
“exclusion transformation” [28]. These functions are the inverses
of the transformation functions. Since the TTF transformation
functions are injective functions, defining their inverse
functions is straightforward. Figure 8 gives the definitions of the
inverses of the TTF transformation functions.


T⁻¹(ins(p1, c1, sid1), ins(p2, c2, sid2)) :-
    if (p1 < p2) return ins(p1, c1, sid1)
    else if (p1 = p2 and sid1 < sid2) return ins(p1, c1, sid1)
    else return ins(p1 - 1, c1, sid1)

T⁻¹(del(p1, sid1), ins(p2, c2, sid2)) :-
    if (p1 < p2) return del(p1, sid1)
    else return del(p1 - 1, sid1)

T⁻¹(ins(p1, c1, sid1), del(p2, sid2)) :-
    return ins(p1, c1, sid1)

T⁻¹(del(p1, sid1), del(p2, sid2)) :-
    return del(p1, sid1)


Fig. 8. Inverses of TTF transformation functions. 

The precondition of the inverse of a transformation function
requires that the first parameter operation results from
a transformation according to the second one. Indeed, it is
not allowed to call this inverse function in order to swap two
causally dependent operations, because these operations were
not concurrent and thus were not previously “serialised” using
transformation functions. For instance, consider the string of
characters “abc” and two operations op1 = ins(2,x) and
op2 = del(2) executed in this order on the string of characters.
The resulting state after the executions of op1 and op2 is “abc”.
Since these two operations are causally dependent, as op2
deletes the character inserted by op1, it is forbidden to try
to swap these two operations in order to execute them in the
reverse order (op2 then op1). Performing such transformations
will compute the sequence of operations [del(1), ins(1,x)]
whose execution will lead to the wrong state “xbc”. These
preconditions are always ensured by OT integration algorithms
such as SOCT2 for example.
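
The following Python sketch is an added example, not code from the paper: it implements the transformation functions of Figure 7 and the inverses of Figure 8 on the U-TTF model, then checks TP1, TP2 and the inverse round trip exhaustively for three concurrent sites on the state "abc". The tuple encoding of operations and the names T_shift, site_ops and count_violations are assumptions of the example; T_shift swaps in the tombstone-free ins/del rule of Section II to reproduce the tie of Figure 3.

```python
from itertools import permutations, product

# Operations in model coordinates (1-based, tombstones counted):
#   ("ins", p, c, sid)   or   ("del", p, sid)


def T(op1, op2):
    """TTF transformation (Fig. 7): op1 rewritten so it applies after op2."""
    if op2[0] == "del":                      # a tombstone shifts nothing
        return op1
    p1, p2, sid1, sid2 = op1[1], op2[1], op1[-1], op2[-1]
    if op1[0] == "ins":
        if p1 < p2 or (p1 == p2 and sid1 < sid2):
            return op1
        return ("ins", p1 + 1, op1[2], sid1)
    return op1 if p1 < p2 else ("del", p1 + 1, sid1)


def T_inv(op1, op2):
    """Inverse (Fig. 8); op1 must be the result of a T(_, op2) call."""
    if op2[0] == "del":
        return op1
    p1, p2, sid1, sid2 = op1[1], op2[1], op1[-1], op2[-1]
    if op1[0] == "ins":
        if p1 < p2 or (p1 == p2 and sid1 < sid2):
            return op1
        return ("ins", p1 - 1, op1[2], sid1)
    return op1 if p1 < p2 else ("del", p1 - 1, sid1)


def T_shift(op1, op2):
    """Tombstone-free variant: an insert after a deleted position moves left,
    an insert at or before it is unchanged. Other cases reuse T."""
    if op1[0] == "ins" and op2[0] == "del":
        p1, p2 = op1[1], op2[1]
        return op1 if p1 <= p2 else ("ins", p1 - 1, op1[2], op1[3])
    return T(op1, op2)


def apply(model, op):
    """Execute op on a model given as a tuple of (char, visible) pairs."""
    cells = list(model)
    if op[0] == "ins":
        cells.insert(op[1] - 1, (op[2], True))
    else:
        cells[op[1] - 1] = (cells[op[1] - 1][0], False)
    return tuple(cells)


def view(model):
    """What the user sees: the visible characters only."""
    return "".join(c for c, visible in model if visible)


def tp1(t, model, op1, op2):
    """op1 then T(op2, op1) must reach the same state as op2 then T(op1, op2)."""
    return (apply(apply(model, op1), t(op2, op1)) ==
            apply(apply(model, op2), t(op1, op2)))


def tp2(t, op1, op2, op3):
    """op3 transformed along both equivalent sequences must be identical."""
    left = t(t(op3, op1), t(op2, op1))       # T(op3, op1 o T(op2, op1))
    right = t(t(op3, op2), t(op1, op2))      # T(op3, op2 o T(op1, op2))
    return left == right


def site_ops(model, sid, char):
    """Every operation one site can generate on `model`."""
    n = len(model)
    return ([("ins", p, char, sid) for p in range(1, n + 2)] +
            [("del", p, sid) for p in range(1, n + 1)])


def count_violations(model):
    """Exhaustively test TP1, TP2 and T_inv for three concurrent sites."""
    ops = {sid: site_ops(model, sid, ch)
           for sid, ch in ((1, "x"), (2, "y"), (3, "z"))}
    bad = 0
    for s1, s2, s3 in permutations(ops, 3):
        for a, b, c in product(ops[s1], ops[s2], ops[s3]):
            bad += not tp1(T, model, a, b)
            bad += not tp2(T, a, b, c)
            bad += T_inv(T(a, b), b) != a
    return bad


ABC = tuple((ch, True) for ch in "abc")      # constructed sample state
# Figure 3, with x generated by the site holding the higher identifier.
OP1, OP2, OP3 = ("ins", 2, "x", 3), ("del", 2, 2), ("ins", 3, "y", 1)

if __name__ == "__main__":
    print("TTF violations on 'abc':", count_violations(ABC))
    print("Figure 3, TP2 with TTF:", tp2(T, OP1, OP2, OP3))
    print("Figure 3, TP2 with shifting delete:", tp2(T_shift, OP1, OP2, OP3))
    s = apply(apply(apply(ABC, OP2), T(OP1, OP2)),
              T(T(OP3, OP2), T(OP1, OP2)))
    print("converged view:", view(s))
```

With the shifting rule the two transformation paths of op3 end at different positions, which is the TP2 violation described for Figure 3; with tombstones both paths give the same operation and x stays in front of y.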

C. Optimising TTF Approach 

Compared to existing approaches, the function viewToModel()
has to be computed each time a character is generated.
Its time complexity is linear in the size of the text. In
the case of asynchronous editing, this complexity has no impact
since operations are generated when the user has finished editing.

In the case of real-time editing, this extra time will slow down
the local response time if the text is long. However, we can
obtain a good response time by a simple optimisation. In an
editor, local operations are relative to the caret position.
Indeed, viewToModel() computes the position of the caret in
the model. This position could be stored as the global variable
caretPosition. Its value is updated when the user moves
the caret in the text with the procedure updateCaret(oldPos,
newPos, S). The parameters oldPos and newPos are the old
and new caret positions in the view presented to the user.





updateCaret(int oldPos, int newPos, S) {
  int i = oldPos;
  if (newPos > oldPos) { // move right
    while (i <> newPos) {
      if (S[caretPosition].visible) i++;
      caretPosition++;
    }
    // skip removed chars
    while (caretPosition < length(S)
           and not S[caretPosition].visible)
      caretPosition++;
  } else { // move left
    while (i <> newPos) {
      if (S[caretPosition-1].visible) i--;
      caretPosition--;
    }
  }
}

The executeLocal() functions could be rewritten as follows:

executeLocal(ins(x,caretPosition), S) {
  shiftRight(S, caretPosition);
  S[caretPosition] = x;
  broadcast(ins(x,caretPosition));
}

executeLocal(del(caretPosition), S) {
  S[caretPosition].visible = false;
  broadcast(del(caretPosition));
}


D. (D)elta-TTF Model 

Although tombstones are a very easy solution for the OT
approach, TTF retains a tombstone to mark each deleted character.
So, the space overhead of tombstones grows indefinitely. Two
solutions are generally used to solve this issue in distributed
systems. The first one is based on an expiration period which
is associated with each tombstone. A tombstone is definitively
suppressed as soon as its period expires. It is well known that
this method is unsafe. An operation assuming the presence of
some tombstones might arrive after their expiration periods;
in this case this operation cannot be executed properly. The
second solution employs a two-phase protocol to purge the
tombstones safely, as described in [24]. Unfortunately, such a
protocol requires that all sites be alive for the algorithm to make
progress. In other words, it means that all participants using
the collaborative editing system must be and stay connected
until the garbage collection is finished. This assumption is not
suitable for asynchronous collaborative editing systems.

In our context, this problem is equivalent to managing a
sparse array where deleted characters are considered as zero
entries. The basic idea when storing this kind of array is to
store only the non-zero entries, as opposed to storing all entries.
Hence, we now present another model to store the local string.
Each visible character keeps an integer value equal to 1 +
the number of invisible characters located between it and the
visible character preceding it. This new model is depicted in
Figure 9(b). It requires adding a special invisible
character named C_e, which is used to keep the number of
characters, plus one, which were located after the last visible
character and have been removed.



Fig. 9. Difference between U-TTF and D-TTF models. 


The viewToModelD function is rewritten as follows: 

viewToModelD(int pos, S) : int {
  return sum of S[k].offset for k = 1 .. pos; // offsets add up to the model position
}

The functions of Figure 10 describe the execution of a
local insert or delete operation. S is a sequence of pairs
(character, relative position). S[p].offset returns the relative
position of the character stored at position p in S. Figure 11
defines how to execute a received operation.

executeLocal(ins(x,p), S) {
  shiftRight(S, p); // make room for the new character
  S[p] = (x, S[p+1].offset);
  S[p+1].offset = 1;
  broadcast(ins(x, viewToModelD(p, S)));
}

executeLocal(del(p), S) {
  S[p+1].offset = S[p+1].offset + S[p].offset;
  int pos = viewToModelD(p, S);
  shiftLeft(S, p+1);
  broadcast(del(pos));
}


Fig. 10. Local executions in the D-TTF model. 



executeRemote(ins(x,p), S) {
  int sum = 0, i = 0;
  while (i < length(S) and sum < p) {
    i++; // move to the next entry before adding its offset
    sum += S[i].offset;
  }
  shiftRight(S, i);
  S[i] = (x, p-(sum-S[i+1].offset));
  S[i+1].offset = sum-p+1;
}

executeRemote(del(p), S) {
  int sum = 0, i = 0;
  while (i < length(S) and sum < p) {
    i++; // move to the next entry before adding its offset
    sum += S[i].offset;
  }
  if (sum==p) { // p is a visible character, not a tombstone
    S[i+1].offset = S[i+1].offset + S[i].offset;
    shiftLeft(S,i+1);
  }
}


Fig. 11. Remote executions in the D-TTF model. 


The theoretical complexity of every operation execution is
O(n). However, we can apply the same optimization we use
for the uncompacted model. The position of the caret in the
model is stored and updated when the user moves.
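
To make the D-TTF representation concrete, the following Python sketch (an added example, not code from the paper) executes remote operations on the offset-based model as Figure 11 describes and cross-checks the result against the uncompacted model. The list encoding, the None sentinel standing in for C_e and the names compact, positions, locate, remote_ins, remote_del and replay are assumptions of the example.

```python
# U-TTF: list of [char, visible].  D-TTF: list of [char, offset] for the
# visible characters only, closed by a [None, offset] sentinel (C_e).


def compact(model):
    """U-TTF -> D-TTF: keep visible characters, fold tombstones into offsets."""
    out, gap = [], 1
    for ch, visible in model:
        if visible:
            out.append([ch, gap])
            gap = 1
        else:
            gap += 1
    out.append([None, gap])              # sentinel counts trailing tombstones
    return out


def positions(d):
    """(char, model position) of every visible character of a D-TTF string."""
    total, out = 0, []
    for ch, off in d[:-1]:
        total += off
        out.append((ch, total))
    return out


def locate(d, p):
    """Index and cumulative offset of the first entry at model position >= p."""
    total = 0
    for i, (_, off) in enumerate(d):
        total += off
        if total >= p:
            return i, total
    raise IndexError("model position %d is past the end" % p)


def remote_ins(d, p, ch):
    """Insert ch at model position p; tombstones at or after p move right."""
    i, total = locate(d, p)
    previous = total - d[i][1]           # position of the preceding visible char
    d.insert(i, [ch, p - previous])
    d[i + 1][1] = total - p + 1          # displaced entry now follows ch


def remote_del(d, p):
    """Delete at model position p; an existing tombstone is left untouched."""
    i, total = locate(d, p)
    if total == p and i < len(d) - 1:    # p holds a visible character
        d[i + 1][1] += d[i][1]           # successor inherits the gap
        del d[i]


def uttf_apply(model, op):
    """Reference execution on the uncompacted model."""
    if op[0] == "ins":
        model.insert(op[1] - 1, [op[2], True])
    else:
        model[op[1] - 1][1] = False


def replay(text, ops):
    """Run model-coordinate ops on both representations; return both."""
    u = [[ch, True] for ch in text]
    d = compact(u)
    for op in ops:
        uttf_apply(u, op)
        if op[0] == "ins":
            remote_ins(d, op[1], op[2])
        else:
            remote_del(d, op[1])
    return u, d


# Constructed operation sequence (model coordinates, 1-based). It includes a
# delete of an existing tombstone and inserts next to tombstones.
OPS = [("del", 2), ("del", 3), ("ins", 3, "x"), ("del", 1), ("del", 2),
       ("ins", 2, "z"), ("del", 6), ("ins", 6, "w")]

if __name__ == "__main__":
    u, d = replay("abcd", OPS)
    print("U-TTF cells:", len(u), "D-TTF entries:", len(d))
    print("D-TTF:", d)
    print("matches compacted U-TTF:", d == compact(u))
```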

IV. Related Work 

During the last decades, the operational transformation
model has triggered a growing enthusiasm for maintaining
consistency in collaborative editing systems. Since the dOPT
algorithm from the initial work of Ellis et al. [6] was found
incorrect regarding the TP2 property, two lines of research have
been explored.

The idea of the first approach is to avoid the need for the TP2
property. There are mainly two works based on this approach:
the GOT [28] algorithm and the SOCT4 [29] algorithm. In
GOT, all operations will eventually be executed in the same
total order on every site. In this manner, convergence of copies
is ensured even if transformation functions satisfy neither the
TP1 nor the TP2 property. These two properties are not required
because on every site each operation will be transformed
according to concurrent operations in the same order. This
algorithm has one drawback. Since in the OT approach local
operations are always executed immediately on the local copy,
some local operations could be executed before the arrival
of some remote operations. However, the executions of these
remote operations might precede, with regard to the total order,
the execution of the local operations. To solve this issue, GOT
uses an undo-do-redo mechanism [28] for undoing the local
operations, then executes the remote operations and finally
re-executes the undone operations. This undo-do-redo mechanism
requires the exclusion transformation functions, which of
course must satisfy the reversibility property. Unfortunately,
until now there is no transformation satisfying this property.
The SOCT4 algorithm also relies on a total order, but in place
of the undo-do-redo mechanism, it restricts the broadcast of
local operations. Indeed, in SOCT4, a site can send its local
operations only if it has integrated all the preceding remote
operations with regard to the total order. This algorithm requires
only the TP1 property to be satisfied by the transformation
functions to ensure convergence. Unfortunately, the continuous
total order required by SOCT4 is generally implemented
using a central time-stamper, which considerably restricts the
collaboration interaction practices. Moreover, if there exist
transformation functions satisfying the TP1 condition, they do not
achieve intention preservation as defined in [13]. Hence, all
copies will eventually converge to a unique state that might
violate this definition of intentions of operations. The TTF
transformation functions could be used to fix correctness issues
of current collaborative systems based on the GOT or SOCT4
algorithms.

The purpose of the second approach is to find transformation
functions satisfying the TP2 property. Many integration
algorithms, such as adOPTed [23], SOCT2 [25] or GOTO [27],
were proposed assuming that the transformation functions
satisfy the TP2 property. Each algorithm was proposed in
association with some transformation functions. None of these
transformation functions is correct with respect to the TP2
property, as summarised in [11]. The authors of [11] have
proposed some transformation functions, but Li et al. [13] have
found a counter-example for them violating TP2 and intention
preservation.

There exists a TP2 counter-example for all existing
transformation functions except the SDT transformation functions.
SDT [13] stands for State-Difference Transformations. Its
authors wrote that SDT ensures TP1 and TP2. Unfortunately, we
found a counter-example with the help of the SPIKE theorem
prover [19].

In SDT, when the system has to transform one operation op1
according to a second concurrent operation op2, it performs
the following steps. First, it identifies the last common state
(LSP) from which both concurrent operations were executed.
Then, it computes the sequence SD of operations that could be
executed on LSP to lead to the state on which op2 is defined.
Next, it computes β(op1), the potential effect position of op1
on LSP, by excluding SD from op1. It performs the same with
op2 to get β(op2). Finally, these two positions are compared in
the transformation to infer the shift of the effect position
of op1.

Figure 12 describes the SDT counter-example. The
assumption Siop^ ] = /3(op 2 ) = 6(op :i ) could be satisfied 
if 0P3 is generated on a state preceding the definition state 
of op 2 and op :i . Since, Siop?,) = /3(opn), SDT functions 
compared the effect positions to break the tie between the two 
concurrent operations opz and opu. On site 1, the positions 
are different p{opi\) < p(op-.i) thus positions determine the 
result of the transformations. But, on site 2, the positions are 
equals p(op±\) = p(ops), and then the site priority is used to 
break the tie. Since on two sites, two different mechanisms 
are used to break the tie, a tricky choice in site priorities 
will lead to the divergence illustrated in Figure 12.

Fig. 12. SDT counter-example

We also verified the proof published in [14] and found that the
proof of Lemma 5 is incomplete. Indeed, in this proof, the
authors consider two cases: O3 → (O1 || O2) or O3 || (O1 || O2).
Unfortunately, the proof of Lemma 5 does not consider the
case where O3 → O1 and (O3 || O2) and (O1 || O2). The
counter-example presented in Figure 12 instantiates this latter 
case with: 0 3 = op 2 = del( 2), so 0 3 = opi = ins(2,y) ; 
0 2 = op 3 = ins(2,z) ; Oi = op^i = ins(2,x). 

Consequently, this means that, currently, only TTF can be used
to instantiate Ressel's framework. Other research proposals
consider that the solution is not to instantiate Ressel's
framework but to propose a new framework.

ABT [16] is an alternative approach to address the consistency
problems of existing OT algorithms. The first motivation of
this work was the difficulty of finding transformation functions
that verify TP1 and TP2. We demonstrate in this paper that TP1
and TP2 can be easily achieved by simple transformation
functions. The second motivation is that intentions of
operations must be preserved during transformations, but they
were not defined in Ressel's model and were not formalized
when defined in [28]. Anyway, we proved in Section III-A that
TTF preserves order relationships between characters. These
relationships correspond to the effect relations as defined in
ABT. Hence, we presented a set of transformation functions
that verify all requirements described in [16] while keeping
Ressel's model and the related integration algorithms. However,
the ABT model is defined only for linear structures, while
Ressel's model is independent of the structure of the shared data.

There is another approach which does not transform
operations: the Mark & Retrace technique [9]. When a remote
operation has to be integrated, the document's address space
is retraced to the state at the time the operation was generated.
This retracing is done by marking as effective the characters
which were present at generation time (even the ones
which have been deleted afterwards) and as ineffective the
characters which were inserted concurrently. Then, in the case
of an insertion, the new character has to be inserted between
its previous and next characters. But, since some concurrently
inserted and deleted characters might be present between its
previous and next characters, a range-scan function is applied
to totally order these characters. These functions and their
proofs of correctness clearly depend on the linear structure of
the shared object. Thus, applying this technique to other types
of structure will require designing new algorithms and proving
them. Moreover, there is no easy optimisation for
garbage-collecting operations or deleted characters. Furthermore,
when working with some particular shared objects, it is
sometimes impossible to achieve convergence without cancelling
operations, except by allowing them to be transformed.

The WOOT framework [20] works in a way quite similar
to the range-scan function of Mark & Retrace, except that it
does not require the execution of the retracing process. The
previous and next characters between which an operation is
performed are found in the string using their unique identifiers.
This feature removes the requirement for state vectors, which
might be a weak point in large-scale systems. Unfortunately,
the weakness concerning the impossibility of garbage-collecting
characters and operations remains. Moreover, this framework is
not generic since it relies strongly on a structural precedence
relation on characters.

V. Conclusions and Future Work 

In this paper, we proposed the Tombstone Transformation
Functions for maintaining consistency in collaborative
editing systems based on the operational transformation
approach. These functions satisfy the correctness properties
TP1 and TP2, and consequently they are able to preserve
intentions while ensuring convergence of copies. These functions
can be used with existing integration algorithms such as
adOPTed [23], SOCT2 [25] or SOCT4 [29] and therefore
could easily be used to replace the incorrect transformations
used in existing systems.
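
The claim that these functions satisfy TP1 and TP2 can be checked by brute force on a small document. The following is an added example, not the paper's code: `T`, `apply` and `violations` are hypothetical names, and the rules inside `T` are this example's assumed reading of the TTF functions over 1-based positions in the tombstone model.

```python
# Added example, not the paper's code. Assumed reading of the TTF rules: positions
# are 1-based slots in the tombstone model (deleted characters keep their slot),
# concurrent inserts at one slot are ordered by site id, deletes shift nothing.
from itertools import permutations, product

def T(op, other, tie_break=True):
    """Transform `op` so that it can run after the concurrent operation `other`."""
    kind, p, char, sid = op
    if other[0] == "del":
        return op                                   # hiding a character moves nothing
    first = kind == "ins" and p == other[1] and tie_break and sid < other[3]
    if p < other[1] or first:
        return op
    return (kind, p + 1, char, sid)

def apply(model, op):
    """Run `op` on a copy of a list of [char, visible] cells."""
    kind, p, char, _ = op
    model = [cell[:] for cell in model]
    if kind == "ins":
        model.insert(p - 1, [char, True])
    else:
        model[p - 1][1] = False                     # tombstone: the slot stays
    return model

def violations(base="ab", tie_break=True):
    """Exhaustively test TP1 and TP2 for single operations from three sites."""
    t = lambda a, b: T(a, b, tie_break)
    model = [[c, True] for c in base]
    ops = [[("ins", p, "xyz"[s], s) for p in range(1, len(base) + 2)]
           + [("del", p, None, s) for p in range(1, len(base) + 1)]
           for s in range(3)]
    bad = []
    for s1, s2 in permutations(range(3), 2):        # TP1: both orders, same state
        for o1, o2 in product(ops[s1], ops[s2]):
            if apply(apply(model, o1), t(o2, o1)) != apply(apply(model, o2), t(o1, o2)):
                bad.append(("TP1", o1, o2))
    for s1, s2, s3 in permutations(range(3), 3):    # TP2: both paths, same operation
        for o1, o2, o3 in product(ops[s1], ops[s2], ops[s3]):
            if t(t(o3, o1), t(o2, o1)) != t(t(o3, o2), t(o1, o2)):
                bad.append(("TP2", o1, o2, o3))
    return bad
```

Calling `violations(tie_break=False)` drops the site-identifier ordering and reports TP1 failures for two inserts at the same position, which shows that the checker does detect divergence.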

In this paper we presented our solution for linear structures, 
but the simplicity of the mechanism offers support for the 
extension to other data structures. 

In collaborative editing systems, the ability to undo
operations [21] is a widely used feature. In the operational
transformation community, several propositions [23], [22],
[26], [7] have already been made. It is worth pointing out
that maintaining tombstones greatly simplifies the design of an
undo mechanism. Indeed, since all the locations of deleted
elements are kept, it is easy to restore them at their right place.
One of the main differences with the previous approaches
is that undoing the deletion of an element is different from
inserting this element. This means a new operation has to be
added to the model. We are currently working [30] on the
transposition to our TTF model of the correctness properties
for undo mechanisms defined in [7].

As future work, we also plan to extend our TTF to string-wise
operations as described in [28], and to hierarchical data
structures as presented in [4], [10].

Our aim is to deploy a collaborative editing system on a
peer-to-peer network. Actually, most of the OT algorithms that
do not require a central site are based on version vectors to
timestamp updates. Unfortunately, version vectors do not scale
and cannot be used in a system with a large number of sites. We
are investigating ways of extending operational transformation
algorithms to fit the requirements of this kind of network.

Acknowledgments 

We wish to thank Claudia-Lavinia Ignat for her very valuable
comments and suggestions which helped us to improve
the presentation of this article.

References 

[1] So6, an operational transformation-based synchronizer.
http://www.libresource.org/.

[2] P. A. Bernstein, V. Hadzilacos, and N. Goodman. Concurrency Control
and Recovery in Database Systems. Addison-Wesley, Boston, MA, USA,
1987.

[3] A. Bouhoula. Automated Theorem Proving by Test Set Induction.
Journal of Symbolic Computation, 23(1):47-77, January 1997.

[4] A. H. Davis, C. Sun, and J. Lu. Generalizing Operational Transformation 
to the Standard General Markup Language. In Proceedings of the ACM 
Conference on Computer-Supported Cooperative Work - CSCW 2002, 
pages 58-67, New Orleans, Louisiana, USA, November 2002. ACM 
Press. 

[5] X. Defago, A. Schiper, and P. Urban. Total Order Broadcast and
Multicast Algorithms: Taxonomy and Survey. ACM Computing Surveys,
36(4):372-421, December 2004.

[6] C. A. Ellis and S. J. Gibbs. Concurrency Control in Groupware Systems. 
In Proceedings of the ACM SIGMOD Conference on the Management 
of Data - SIGMOD’89, pages 399-407, Portland, Oregon, USA, May 
1989. ACM Press. 

[7] J. Ferrie, N. Vidot, and M. Cart. Concurrent Undo Operations in
Collaborative Environments Using Operational Transformation. In
Proceedings on the Conference on Cooperative Information Systems -
CoopIS 2004, volume 3290 of Lecture Notes in Computer Science, pages
155-173, Agia Napa, Cyprus, October 2004. Springer Verlag.

[8] S. Greenberg. Personalizable Groupware: Accommodating Individual
Roles and Group Differences. In Proceedings of the European
Conference of Computer-Supported Cooperative Work - ECSCW’91, pages
17-32, Amsterdam, Netherlands, September 1991. Kluwer Academic
Publishers.

[9] N. Gu, J. Yang, and Q. Zhang. Consistency Maintenance Based on the 
Mark & Retrace Technique in Groupware Systems. In Proceedings of 
the ACM SIGGROUP Conference on Supporting Group Work - GROUP 
2005, pages 264-273, Sanibel Island, Florida, USA, November 2005. 
ACM Press. 

[10] C.-L. Ignat and M. C. Norrie. Customizable Collaborative Editor Relying
on treeOPT Algorithm. In Proceedings of the European Conference on
Computer-Supported Cooperative Work - ECSCW 2003, pages 315-334,
Helsinki, Finland, September 2003. Kluwer Academic Publishers.

[11] A. Imine, P. Molli, G. Oster, and M. Rusinowitch. Proving Correctness 
of Transformation Functions in Real-Time Groupware. In Proceedings 
of the European Conference on Computer-Supported Cooperative Work 
- ECSCW 2003, pages 277-293, Helsinki, Finland, September 2003. 
Kluwer Academic Publishers. 


[12] L. Lamport. Time, Clocks, and the Ordering of Events in a Distributed
System. Communications of the ACM, 21(7):558-565, July 1978.

[13] D. Li and R. Li. Preserving Operation Effects Relation in Group
Editors. In Proceedings of the ACM Conference on Computer-Supported
Cooperative Work - CSCW 2004, pages 457-466, Chicago, Illinois,
USA, November 2004. ACM Press.

[14] D. Li and R. Li. An Approach to Ensuring Consistency in Peer-to-Peer
Real-Time Group Editors. Computer-Supported Cooperative Work
- JCSCW, (to appear):1-59, 2006.

[15] R. Li and D. Li. A Landmark-Based Transformation Approach to 
Concurrency Control in Group Editors. In Proceedings of the ACM 
SIGGROUP Conference on Supporting Group Work - GROUP 2005, 
pages 284-293, Sanibel Island, Florida, USA, November 2005. ACM 

[16] R. Li and D. Li. Commutativity-Based Concurrency Control in
Groupware. In Proceedings of the IEEE Conference on Collaborative
Computing: Networking, Applications and Worksharing - CollaborateCom
2005, pages 1-10, San Jose, California, USA, December 2005. IEEE
Computer Society.

[17] B. Lushman and G. V. Cormack. Proof of Correctness of Ressel’s
adOPTed Algorithm. Information Processing Letters, 86(3):303-310,
June 2003.

[18] P. Molli, G. Oster, H. Skaf-Molli, and A. Imine. Using the
Transformational Approach to Build a Safe and Generic Data Synchronizer. In
Proceedings of the ACM SIGGROUP Conference on Supporting Group
Work - GROUP 2003, pages 212-220, Sanibel Island, Florida, USA,
November 2003. ACM Press.

[19] G. Oster, P. Urso, P. Molli, and A. Imine. Proving Correctness of
Transformation Functions in Collaborative Editing Systems. Research
Report RR-5795, LORIA - INRIA Lorraine, December 2005.

[20] G. Oster, P. Urso, P. Molli, and A. Imine. Real-Time Group Editors
Without Operational Transformation. Research Report RR-5580, LORIA
- INRIA Lorraine, May 2005.

[21] A. Prakash and M. J. Knister. A Framework for Undoing Actions
in Collaborative Systems. ACM Transactions on Computer-Human
Interaction, 1(4):295-330, December 1994.

[22] M. Ressel and R. Gunzenhauser. Reducing the Problems of Group Undo. 
In Proceedings of the ACM SIGGROUP Conference on Supporting 
Group Work - GROUP’99, pages 131-139, Phoenix, Arizona, USA, 
November 1999. ACM Press. 

[23] M. Ressel, D. Nitsche-Ruhland, and R. Gunzenhauser. An Integrating, 
Transformation-Oriented Approach to Concurrency Control and Undo 
in Group Editors. In Proceedings of the ACM Conference on Computer- 
Supported Cooperative Work - CSCW’96, pages 288-297, Boston, 
Massachusetts, USA, November 1996. ACM Press. 

[24] Y. Saito and M. Shapiro. Optimistic Replication. ACM Computing 
Surveys, 37(1):42-81, 2005. 

[25] M. Suleiman, M. Cart, and J. Ferrie. Concurrent Operations in a
Distributed and Mobile Collaborative Environment. In Proceedings of
the International Conference on Data Engineering - ICDE’98, pages
36-45, Orlando, Florida, USA, February 1998. IEEE Computer Society.

[26] C. Sun. Undo as Concurrent Inverse in Group Editors. ACM
Transactions on Computer-Human Interaction, 9(4):309-361, December 2002.

[27] C. Sun and C. Ellis. Operational Transformation in Real-Time Group
Editors: Issues, Algorithms and Achievements. In Proceedings of the ACM
Conference on Computer-Supported Cooperative Work - CSCW’98,
pages 59-68, Seattle, Washington, USA, November 1998. ACM Press.

[28] C. Sun, X. Jia, Y. Zhang, Y. Yang, and D. Chen. Achieving
Convergence, Causality Preservation, and Intention Preservation in Real-Time
Cooperative Editing Systems. ACM Transactions on Computer-Human
Interaction, 5(1):63-108, March 1998.

[29] N. Vidot, M. Cart, J. Ferrie, and M. Suleiman. Copies Convergence in a 
Distributed Real-Time Collaborative Environment. In Proceedings of the 
ACM Conference on Computer-Supported Cooperative Work - CSCW 
2000, pages 171-180, Philadelphia, Pennsylvania, USA, December 
2000. ACM Press. 

[30] S. Weiss. Annulation de Groupe dans les Editeurs Collaboratifs. Master’s 
Thesis, Universite Henri Poincare - Nancy I, June 2006. 






